by rmoriz
1605 days ago
As far as I have learned, a couple of big companies are sending this kind of mail to every provider, partner or copyright owner of code that they could find. I assume some developer/supplier used curl and provided a list of third-party code and licenses they use. In the aftermath of the log4j incident, companies now target everyone about this issue, partly to learn about potential exposure that they are not yet aware of, e.g. exploited infrastructure of dependent services like newsletter or analytics services. Yes, it's annoying and pointless to spam open source projects with these mails. But at least someone is now behind auditing the supply chain.
But obviously, it's not a sound approach to actual vulnerability management.